There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.

The panic is 100% reproducible on my system and I have a few kernel
dumps from the situation, if somebody needs them. I have attached a
band-aid kind of patch, which seems to work, at least with it the samba
works as expected, but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" case, and it seems
to be called only twice during the smb mount, not after.

The machine and kernel is a regular Intel x86_64 SMP setup, built
from yesterday's master.

[...]
>> There seems to be a problem in prison_replace_wildcards() at
>> sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
>> kgdb.txt contains my attempt at debugging the situation.
>>
>> The panic is 100% reproducible on my system and I have a few kernel dumps
>> from the situation, if somebody needs them. I have attached a band-aid kind
>> of patch, which seems to work, at least with it the samba works as expected,
>> but perhaps it is not a correct solution.

td is a samba kernel thread created in smb_iod_create() by calling
kthread_create_compat() which according to its comment is used only for samba.

kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
NULL (it points to the forked process). This explains why the td_proc == NULL
check at the beginning of prison_replace_wildcards(), which is presumably there
for detecting kernel threads, fails.

prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
so your patch looks good and I committed it. In the longer term, changing
samba to create a lwkt is probably the way to go.
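
The guard discussed above, as an added user-space model that is not code from this thread or from the DragonFly source tree. The struct layouts, the pr_ip4 field, the return values and the addresses are assumptions made for illustration; only td_proc and td_ucred are names taken from the messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (layouts are assumptions). */
struct prison { uint32_t pr_ip4; };            /* model field: the jail's IPv4 address */
struct ucred  { struct prison *cr_prison; };   /* NULL when the credential is not jailed */
struct proc   { int p_pid; };
struct thread {
    struct proc  *td_proc;    /* NULL for an ordinary kernel thread */
    struct ucred *td_ucred;   /* NULL for the thread forked from process 0 */
};

#define MODEL_ANY   0u            /* wildcard address in this model */
#define MODEL_JAIL  0x0a000005u   /* constructed jail address, 10.0.0.5 */

/* Returns 0 if the wildcard was replaced, 1 if the address was left alone. */
static int
replace_wildcard_model(const struct thread *td, uint32_t *addr)
{
    /* td_proc == NULL alone misses a thread that has a proc but no credential. */
    if (td->td_proc == NULL || td->td_ucred == NULL)
        return 1;
    if (td->td_ucred->cr_prison == NULL || *addr != MODEL_ANY)
        return 1;
    *addr = td->td_ucred->cr_prison->pr_ip4;
    return 0;
}

/* Constructed cases: 0 = plain kernel thread, 1 = compat kthread, 2 = jailed. */
static uint32_t
run_case(int kind)
{
    struct prison pr = { MODEL_JAIL };
    struct ucred cred = { &pr };
    struct proc p = { 42 };
    struct thread td = { kind ? &p : NULL, kind == 2 ? &cred : NULL };
    uint32_t addr = MODEL_ANY;

    replace_wildcard_model(&td, &addr);
    return addr;
}

int
main(void)
{
    for (int k = 0; k < 3; k++)
        printf("case %d -> 0x%08x\n", k, (unsigned)run_case(k));
    return 0;
}
```

Case 1 is the thread shape described in the reply: with only the td_proc test in place, the function would go on to read through a NULL td_ucred.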
